topic Re: ISE BYOD: certificate generation failed in Network Access Control

ISE BYOD: certificate generation failed

ciscoworlds — Tue, 26 Jun 2018 10:47:49 GMT

Hi.

I followed the directions stated on the Youtube link "ISE 2.2 Android Provisioning with EST Authentication (Certificate Generation Failed) - YouTube" but despite the mentioned configuration, again I get the same "Certificate Generation Failed" message during BYOD onboarding with single-SSID on my test Android 7.0 device. Also I'm using ISE 2.4 patch 1.

AS seen I've created a new condition and used it in a new Authz rule and put it before other rules. But I got no match hint and the same error message was and is still there!

I have a firewall between clients and ISE server, but permitted all traffic from those clients destined everywhere; So it could not be considered a firewall-related issue.

How can I fix this? And I don't understand why this is necessary? I've not seen such recommendation or configuration on regular admin guides, videos or even on Cisco press books!

Thanks in advanced.

Re: ISE BYOD: certificate generation failed

howon — Tue, 26 Jun 2018 23:37:27 GMT

Hossein, are you using EST as opposed to SCEP? If not, the suggestions in the video is irrelevant. I suggest configuring basic BYOD using the wireless setup wizard and make sure it works.

Re: ISE BYOD: certificate generation failed

ciscoworlds — Wed, 27 Jun 2018 06:07:03 GMT

Hi;

No I configured SCEP in my lab. I hadn't heard anything about EST till this week. Actually I followed BYOD instructions stated on Cisco Community and double checked it with ISE Admin Guide and Cisco Press BYOD (2nd edition) book.If EST is irrelevant while SCEP is configured, then it would called normal if I hadn't heard anything about it in official guides.

Do you have any idea of what would be the reason behind error "Certificate Generation Failed"?

Re: ISE BYOD: certificate generation failed

ciscoworlds — Wed, 27 Jun 2018 11:09:10 GMT

I delete the NSA from the Android device but after being redirected to the BYOD portal and clicking on the icon to download NSA app from Google Play, a message pops up asking me to login again to that SSID, which takes me to the first page of the BYOD portal and this loops continues. I get this error on the Android browser.

I tested it with other browsers but got the same type of error regarding SSL certificate of the webpage.

Re: ISE BYOD: certificate generation failed

Jason Kunst — Wed, 27 Jun 2018 12:11:33 GMT

That’s because you’re not using a valid certificate that the endpoints know about

If you’re a Cisco partner would recommend using our dCloud setup our Deploying ISE POV kit to understand how it works with proper setup as these come with a well known certificate

Re: ISE BYOD: certificate generation failed

ciscoworlds — Wed, 27 Jun 2018 15:20:28 GMT

So it's impossible to use Internal CA (without purchasing from a public well-known CA) along with BYOD. Did I get that right?

I checked the BYOD on my iPAD but it was unsuccessful too! I get redirected to the BYOD portal on ISE, but despite that I click on Trust and it shows the name of the certificate (as shown on the image), downloading the certificate fails.

I really got stuck.

Re: ISE BYOD: certificate generation failed

howon — Wed, 27 Jun 2018 15:29:52 GMT

Please follow the instruction here to trust the ISE certificate:

Trust manually installed certificate profiles in iOS - Apple Support

Re: ISE BYOD: certificate generation failed

ciscoworlds — Thu, 28 Jun 2018 06:16:00 GMT

Hi.

The problem is I cannot download the certificate at the first place (The displayed certificate on the image above "TLABSERVER-CA.cer" is my internal Root CA certificate that includes my root ca public key), so there is no any certificate listed on the General > About > Certificate Trust Settings page. It shows only the first line which is "Trust Store Version" on that page. When I touch Download Now link at the image above, it says "Download Failed".

This image shows Administration > System > Certificates > Certificate Authority > External CA settings page on ISE.

Re: ISE BYOD: certificate generation failed

howon — Thu, 28 Jun 2018 22:22:55 GMT

It looks like you are doing SCEP to external CA, is that what you are trying to do? If so have you configured MS CA to work with ISE? If this is not your intent or just to make sure onboarding is working, I suggest just leveraging internal CA instead.

Re: ISE BYOD: certificate generation failed

ciscoworlds — Fri, 29 Jun 2018 06:38:09 GMT

Hi.

Yes I'm using SCEP and configured MS ADCS exactly as stated on the various Cisco Community documents created for BYOD. I used these documents:

How To: ISE & BYOD: Onboarding, Registering & Provisioning

How To: ISE & BYOD: Using Certificates For Differentiated Access

The certificate template is created on ADCS server based on these Cisco guides. I double-checked the configs but it seems there is no difference between what I did and the docs. You can take a look at the configs by clicking on this link, if you want. https://1drv.ms/u/s!AtnSgqfSTcPBgYZJcYdKJApOoy_DsQ

I'm using:

ISE 2.4 patch 1
2 Windows server 2012 R2 computer (one as ADDC and another one as ADCS, which is not member of the internal domain)
Cisco WLC 2504 software version 8.0.121.0
Android 7.0
iOS 11.0

Re: ISE BYOD: certificate generation failed

hslai — Fri, 29 Jun 2018 20:05:07 GMT

On this Apple iPad, you are using FireFox app instead of the regular mobile Safari. Firefox is not opening the certificate, even if it downloaded, and installing it under Settings > General > Profiles.

First, ensure that the ACL is properly allowing access to the ISE PSN. And, then use Apple iOS mobile Safari, instead of Firefox app.

Re: ISE BYOD: certificate generation failed

hslai — Fri, 29 Jun 2018 20:10:20 GMT

The fact that the connection is untrusted to Google play store appears either due to the connection not permitted by your ACL or intercepted by a web proxy server.

Re: ISE BYOD: certificate generation failed

hslai — Sat, 30 Jun 2018 13:45:39 GMT

Looking at your Android screenshot again, it says the certificate is only valid for 1.1.1.1. Although no longer a recommended value for WLC virtual interface, 1.1.1.1 is likely what your WLC has for its virtual interface. If so, then it's an indication that the WLC ACL is not allowing the connection to play.google.com and that the WLC is enabled for HTTPS redirection.

If this is not helping, please engage Cisco TAC to troubleshoot further.

Re: ISE BYOD: certificate generation failed

ciscoworlds — Sat, 30 Jun 2018 15:58:15 GMT

I have 2 different ACLs on WLC, one for Android and one for iOS. (My ISE IP address is 10.1.204.168).

The only difference between 2 of them is URLs. Based on the docs I enabled HTTPS redirect on WLC. Shouldn't it be that way?

Re: ISE BYOD: certificate generation failed

hslai — Sun, 01 Jul 2018 00:09:04 GMT

The thing with Android ACL is that it keeps changing. I do not think your DNS ACL really working. Unfortunately, the one worked in our alpha network 1.5 years ago is no longer working to access Android Play store.

It would be easier to restrict the internal network access but to allow Internet or use a separate network to download the Cisco NSW app from the store.

Here is an ACL to restrict internal access from one of our test setups, where the internal network is 10.0.0.0/8, DNS is 10.1.100.10, and ISE 10.1.100.21:

(Cisco Controller) >show acl detailed PERMIT-Internet

Source Destination Source Port Dest Port

Index Dir IP Address/Netmask IP Address/Netmask Prot Range Range DSCP Action Counter

------ --- ------------------------------- ------------------------------- ---- ----------- ----------- ----- ------- -----------

1 In 0.0.0.0/0.0.0.0 10.1.100.10/255.255.255.255 17 0-65535 53-53 Any Permit 207

2 In 0.0.0.0/0.0.0.0 10.1.100.21/255.255.255.255 Any 0-65535 0-65535 Any Permit 1586

3 In 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0 1 0-65535 0-65535 Any Permit 0

4 In 0.0.0.0/0.0.0.0 10.0.0.0/255.0.0.0 Any 0-65535 0-65535 Any Deny 43

5 Any 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0 Any 0-65535 0-65535 Any Permit 34780

Re: ISE BYOD: certificate generation failed

hslai — Sun, 01 Jul 2018 02:44:39 GMT

Following Hosuk's Using DNS-Based ACL for Chromebooks and Android Devices, it's working for my Nexus 5X/Android 8.1 on a WLC 5520 running AireOS 8.5.131.0 and AP 2702i.

Earlier it was not working on vWLC running 8.0.120.0, due to CSCus61445.

Re: ISE BYOD: certificate generation failed

ciscoworlds — Wed, 04 Jul 2018 10:47:04 GMT

I pinged the various Google sites and created ACL entries on the WLC with those IP addresses and again it didn't work.

I tested on my iPAD, this time with Safari browser instead of Firefox, and this time I redirected a little further. It asked me to install a profile and after I accept the prompt, it installed the root CA, but it asked me to install the profile second time, but at this point I got an error message like this.

you can see that my root CA certificate has been verified at the first step. but the 2nd step failed.

Re: ISE BYOD: certificate generation failed

hslai — Wed, 04 Jul 2018 15:57:55 GMT

Since your domain is .local, I believe either your root CA is a private enterprise PKI or the server certificate is self-signed. In that case, please read how to Trust manually installed certificate profiles in iOS - Apple Support.

Re: ISE BYOD: certificate generation failed

hslai — Wed, 04 Jul 2018 19:10:34 GMT

For Google Android, I would suggest you to try the ACL PERMIT-Internet that I posted in comment 14. Or, get the NSW app first using another WLAN or some other means.

Re: ISE BYOD: certificate generation failed

Jason Kunst — Wed, 04 Jul 2018 22:16:11 GMT

I just worked with someone who had .local and apple doesn’t like that even if you manually install cert

You Will need to move away from using the TLD of .local